Clifford Stoll, author of The Cuckoo’s Egg, an investigation into the hacking of the Lawrence Berkeley National Laboratory that led to the capture of hacker Marcus Hess, famously said: “Treat your password like your toothbrush. Don’t let anyone else use it and get a new one every six months.”
The paper, How Effective is Multifactor Authentication (MFA) at Deterring Cyberattacks? concludes that implementing MFA leads to a 99.22% reduction in the risk of compromise across the entire population and a 98.56% reduction even in cases where credentials have been leaked.
To be clear, MFA can be hacked. Roger Grimes, defence evangelist at KnowBe4, published a 41-page ebook in which he details over 12 ways to hack MFA, but that’s for another PodChat.
Persistent use despite proven vulnerabilities
Asked why, six decades after the introduction of passwords, this method of authenticating access remains in force, Andrew Shikiar, executive director of the FIDO Alliance, pointed out that another authentication method, two-factor authentication (2FA), introduced 30 years ago, also faces increasing risk of bypass attacks.
He pointed out that the solution lies in replacing passwords entirely due to their fundamental flaws. Recent technological advancements, widespread device support, and a growing imperative suggest we are on the verge of overcoming passwords.
He opined that despite their drawbacks, passwords persist due to their long-standing presence and universal use. “The FIDO Alliance aims to address these challenges, ensuring that alternatives like passkeys are as convenient and enjoyable as passwords,” he continued.
Influence of generative AI in cybersecurity
In the year since ChatGPT’s public release, AI and machine learning have significantly impacted various domains. Shikiar acknowledges that while AI offers benefits like advanced threat detection in cybersecurity, it also introduces risks, particularly in identity breaches.
“With the rise of nefarious generative AI tools like Evil GPT, phishing attacks have become more sophisticated and challenging to detect, placing a heavier burden on employees to discern fake messages.”
Andrew Shikiar
“This trend underscores the urgency of moving away from knowledge-based credentials, as employees face increasing difficulty distinguishing between genuine and deceptive communications in the ever-evolving cybersecurity landscape,” he added.
The role of passwordless authentication
According to Shikiar, the FIDO approach utilises asymmetric public key cryptography, simplifying its application for users. In contrast to traditional password systems, FIDO’s possession-based authentication requires users to authenticate locally, activating a unique key pair with the private key stored on the user’s device and the public key on a server.
“This prevents remote attacks, offering enhanced security. Even if a user falls for a phishing attack, FIDO’s possession-based nature hinders unauthorised access. Notably, understanding the vulnerabilities of multi-factor authentication (MFA) is crucial, as MFA methods transmitting human-readable secrets over networks, such as SMS OTPs, push notifications, and TOTP apps, can be bypassed by AI-driven attacks,” he elaborated.
The growing influence (and threat) of AI
As AI grows in prevalence, are organisations ready and able to secure passwords and other authentication methods against it? Shikiar says consumers are increasingly aware of both the positive and negative aspects of AI, including AI-driven attacks and deepfakes.
He acknowledges that the anticipated rise in AI-generated attacks in 2024 may lead to heightened public concern and fear. “As a result, consumers are expected to demand authentication methods with enhanced security and reduced friction,” he opined.
Shikiar believes that to address these fears, CISOs and service providers must proactively communicate their commitment to security. “Passkeys, developed collaboratively by major technology companies and endorsed by regulatory bodies, are highlighted as a secure authentication solution, instilling confidence in users,” he continued.
Can passkeys evolve alongside AI?
Cyberwarfare is akin to a cat-and-mouse game with both the pursued and pursuing raising the ante in the process. Shikiar opined that adding layers to the flawed foundation of passwords has proven insufficient.
“We need to transform the authentication paradigm entirely, replacing passwords with an unphishable solution like passkeys and FIDO,” he added.
He acknowledged that while not a silver bullet for all AI attacks, passkeys effectively thwart AI-driven credential attacks that aim to extract credentials from users through social engineering.
“Looking ahead, the combination of AI and post-quantum computing poses a potential threat, and we are exploring ways to handle that situation. However, in the immediate future, I’m quite confident that AI-driven credential attacks will not overtake the ability to protect yourself with passkeys.”
Andrew Shikiar
The future of access and authentication
Shikiar says consumers are increasingly offered the option of using passkeys, with Google enabling it for all account users. He noted that various services and government entities across APAC are integrating passkeys, such as GovTech in Singapore for Singpass and the Australian Government for their government services. Air New Zealand has also adopted passkeys for its customers.
The FIDO Alliance is concentrating on enabling successful passkey implementations by creating resources that guide organisations on deployment, measurement of success, and lifecycle management.
“The emphasis on user experience (UX) guidelines we created this year aims to ensure positive consumer adoption, recognising the importance of making a lasting impression on users for wider acceptance,” he added.
Driving the adoption of passkeys in-house
Recent incidents of hackers targeting cloud services providers (CSPs) highlight the urgency for robust user authentication practices.
For any organisation that is outsourcing core functions to third-party service providers, Shikiar strongly advocates for requiring multi-factor authentication (MFA) in service-level agreements. He encouraged C-suite executives, including CEOs, to champion MFA adoption within their organisations and demand its implementation from CSPs.
“Aligning cybersecurity practices with business interests, CEOs should also actively support their CISOs in promoting a culture of cybersecurity and the adoption of secure measures like FIDO security keys or passkeys,” he concluded.
Click on the PodChat player to hear, in detail, Shikiar’s assertions on the future of passkeys and authentication.
- FIDO was founded in 2012. Twelve years on, why are organisations/users still relying on passwords to access systems and data?
- How has generative AI reshaped the cybersecurity landscape, particularly when it comes to identity access management?
- How can passwordless authentication methods, like biometrics or passkeys, help protect against AI-driven cyber threats?
- Are there any specific industries or sectors that are particularly susceptible to AI-fuelled scams?
- Why are these organisations at greater risk from AI-fuelled scams?
- How can they benefit from implementing passwordless authentication to enhance their security posture?
- 2024 is just around the corner. What can we expect as regards how organisations secure access to data and systems?
- As more enterprises use the cloud, how should CISOs and CIOs engage their cloud service providers as regards the use of passkeys and other authentication technologies?